Polymarket Vendor Hack Drains $2.9M from Users — Full Refunds Promised

Polymarket had a rough Thursday. Attackers compromised a third-party vendor and injected a malicious script into the prediction market’s frontend, siphoning off $2.94 million from at least 11 user wallets.

Blockchain analyst Specter first flagged the drain, noting the script appeared to facilitate a phishing attack. Polymarket confirmed the breach on X, saying they’d contained the compromise and removed the affected dependency. They’ve promised full refunds to affected users.

This wasn’t some exotic zero-day exploit. The attackers went through a third-party vendor — a supply-chain weak point that’s bitten crypto companies before and will bite them again.

The Polymarket incident was the 89th reported crypto security breach of Q2 2026, extending what’s already the most-hacked quarter on record by incident count. Total exploit losses for June stand at $74.9 million across 29 incidents. That’s actually down from April’s staggering $644 million, but still well above May’s $60.5 million.

Private key compromises accounted for 43% of exploit losses over the past 30 days — the single biggest attack vector by share.

Over 60% of World Cup bettors on Polymarket are first-time crypto users, which makes incidents like this particularly damaging. Many of them don’t have the security instincts that long-time crypto natives develop through scar tissue.